Sponsors

IRS Warns Of Company W-2 and Wire Fraud Scam

The Internal Revenue Service is warning people of a new kind of phishing scam that criminals are using to trick companies into providing wage information on their employees and making sham wire transfers.

The IRS said there have been a number of companies that have lost out on thousands of dollars because of the fraud. The criminals are widening their scope of potential victims to non-profit organizations, chain restaurants, school districts, etc.

John Koskinen is an IRS commissioner who said it’s one of the most dangerous email phishing scams that’s been seen in quite some time. It can cause wide-scale theft of private information that criminals will use to carry out various criminal activities such as filing false tax returns.

The IRS saw the attempts first tried on companies in 2016 – they wanted the company to send out employees’ personal information and W-2 – all information to attain a tax return. To trick them, they would alter the email address to look as if somebody in the organization was asking for it – usually payroll or human resources officers the spoofed folks.

The IRS warned it was seeing both that scam and another fraudulent wire transfers.

A Look At The Wire Fraud

If the criminals can attain the W-2 information, they’ll start another scam – wire fraud. There have been some companies dubbed by both of the scams, losing thousands of dollars and precious employee W-2 information.

In the last several years, criminals have had major success with the scams, usually from spoofing or comprising a company’s business email. The FBI began to keep track of the activity in 2013 and, since that time, have managed to steal or tried to steal around $3.1 billion around the world. The scam is rather simple, taking advantage of any weak internal spots. Spoofing an email address is rather easy and difficult to identify. They often use one letter difference of a domain name, hoping nobody catches on.

Today’s problems are the results of a huge design flaw in the email protocol. SMTP won’t verify the sender’s domain in the “from” field from the one where the email is actually being sent. However, DomainKeys Identified Mail is using technology that can do this, and more and more folks are going with it.

The real smart criminals will use phishing scams to attain email credentials to log into actual accounts. They do a lot of research to determine what a company’s procedures are and create an email wire transfer request so looks legit.

To combat the problem, the IRS said employers need to create an internal policy to distribute their employees’ W-2 and how to handle wire transfers. The agency suggests email requests be verified with the person – in person or by phone. It should be considered for W-2s as well.

The IRS does have some measures in place to identify fake tax returns if a company reports W-2 theft. And, it wants people to file a report using the FBI Internet Crime Complaint Center.